## A kilobit special number field sieve factorization (2007)

Venue: In Advances in Cryptology – ASIACRYPT 2007 (2007), LNCS

Citations: 17 (5 self)

### BibTeX

@INPROCEEDINGS{Aoki07akilobit,
  author = {Kazumaro Aoki and Jens Franke and Thorsten Kleinjung and Arjen K. Lenstra and Dag Arne Osvik},
  title = {A kilobit special number field sieve factorization},
  booktitle = {IN ADVANCES IN CRYPTOLOGY – ASIACRYPT 2007 (2007), LNCS},
  year = {2007},
  pages = {1--12},
  publisher = {Springer–Verlag}
}

### Abstract

We describe how we reached a new factoring milestone by completing the first special number field sieve factorization of a number having more than 1024 bits, namely the Mersenne number $2^{1039} - 1$. Although this factorization is orders of magnitude ‘easier’ than a factorization of a 1024-bit RSA modulus is believed to be, the methods we used to obtain our result shed new light on the feasibility of the latter computation.

### Citations

255 | Selecting Cryptographic Key Sizes
- Lenstra, Verheul
Citation Context ...d that $\frac{T(1024)}{T(768)} < \frac{1}{5} \times \frac{T(768)}{T(512)}$, where $T(b) = \exp\left(1.923\,\ln(2^b)^{1/3}\,(\ln(\ln(2^b)))^{2/3}\right)$ is a rough growth rate estimate for the run time of NFS when applied to a b-bit RSA modulus (cf. [10]). A more precise estimate, involving the o(1) which we omitted in T(b), would result in a value that is even smaller than $\frac{1}{5}$. This means that by the time we manage to factor a 768-bit RSA modulus—so...

233 | Factoring Integers with Elliptic Curves
- Lenstra
- 1987
Citation Context ...es. In particular, they may have factors that could relatively easily be found using factoring methods different from SNFS, such as Pollard’s p − 1 or ρ method, or the elliptic curve method (ECM, cf. [11]). Thus, for all kilobit special form numbers under consideration, we first spent a considerable ECM effort to increase our confidence that the number we would eventually settle for would not turn out...

126 | The Development of the Number Field Sieve
- Lenstra, Lenstra
- 1993
Citation Context ...web (cf. [15]). There is no need to duplicate any of these previous efforts for the purposes of the present paper. It suffices to know that both SNFS and NFS consist of the following major steps (cf. [9]). Polynomial selection. Decide on polynomials to sieve with. For SNFS this does not require any computational effort, for NFS it pays off to spend a considerable effort to find ‘good’ polynomials. Si...

58 | Solving homogeneous linear equations over GF[2] via block Wiedemann algorithm
- Coppersmith
- 1994
Citation Context ...8 hours on 64 cores at the University of Bonn. On 72 cores at EPFL it took a bit less than 7 hours. 5.1 The block Wiedemann algorithm We give a brief description of the block Wiedemann algorithm (see [6], and for the Berlekamp-Massey algorithm [17]). Let B be a d × d matrix over $\mathbb{F}_2$. The block Wiedemann algorithm depends on two parameters m, n ∈ N and heuristically finds n solutions of Bv = 0. For o...

52 | A Block Lanczos Algorithm for Finding Dependencies over
- Montgomery
- 1995
Citation Context ... ability to spread the computation across different clusters is the crucial difference between our block Wiedemann approach and many previous factoring efforts that relied on the block Lanczos method [5,12]. Unlike block Wiedemann, block Lanczos does not allow this type of independent distribution, roughly speaking because it requires the inversion of an n×n matrix modulo 2 per iteration, which would ob...

40 | A Tale of Two Sieves
- Pomerance
- 1996
Citation Context ...hat our result should be reported in the cryptologic literature. Descriptions of the SNFS and NFS catering to almost all levels of understanding are scattered all over the literature and the web (cf. [15]). There is no need to duplicate any of these previous efforts for the purposes of the present paper. It suffices to know that both SNFS and NFS consist of the following major steps (cf. [9]). Polynom...

32 | Factorization of a 512-bit RSA Modulus
- Cavallar, Dodson, et al.
- 2000
Citation Context ...SA moduli for more than a few years to come. To illustrate, substantiate, and quantify this remark, note that the first published factorization of a 512-bit RSA modulus is less than a decade ago (cf. [4]) and that $\frac{T(1024)}{T(768)} < \frac{1}{5} \times \frac{T(768)}{T(512)}$, where $T(b) = \exp\left(1.923\,\ln(2^b)^{1/3}\,(\ln(\ln(2^b)))^{2/3}\right)$ is a rough growth rate estimate for the run time of NFS when applied to a b-bit RSA modulus (...

28 | Solving linear equations over GF(2): block Lanczos algorithm. Linear Algebra and its Applications
- Coppersmith
- 1993
Citation Context ... ability to spread the computation across different clusters is the crucial difference between our block Wiedemann approach and many previous factoring efforts that relied on the block Lanczos method [5,12]. Unlike block Wiedemann, block Lanczos does not allow this type of independent distribution, roughly speaking because it requires the inversion of an n×n matrix modulo 2 per iteration, which would ob...

18 | Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm
- Thomé
Citation Context ...n. On 72 cores at EPFL it took a bit less than 7 hours. 5.1 The block Wiedemann algorithm We give a brief description of the block Wiedemann algorithm (see [6], and for the Berlekamp-Massey algorithm [17]). Let B be a d × d matrix over $\mathbb{F}_2$. The block Wiedemann algorithm depends on two parameters m, n ∈ N and heuristically finds n solutions of Bv = 0. For our matrix d = 66,178,354 and we used m = 51...

13 | Strategies in Filtering in the Number Field Sieve
- Cavallar
Citation Context ...t) pair occurs that does not occur in any other relation. This step is combined with the search for cliques, i.e., combinations of the relations where the large primes match up, as fully described in [3]. This took less than 4 days on single cores of 113 3GHz Pentium D processors. Finally, the same hardware was used for 69 hours for a final filtering step that produced a 66,718,354 × 66,718,154 m...

12 | A Montgomery-like square root for the number field sieve
- Nguyen
- 1998
Citation Context ...tion of a square root of a huge algebraic number that factors into small prime ideals whose norms are known. To calculate this square root we used Montgomery’s square root method [13] as described in [14] and implemented by Friedrich Bahr as part of his diploma thesis. The first three solutions all led to the trivial factorization, the fourth one produced the following 80-digit prime factor 5585366661...

5 | Cofactorisation strategies for the number field sieve and an estimate for the sieving step for factoring 1024-bit integers
- Kleinjung
Citation Context ... than $2^{105}$. Also, cofactor pairs were not considered for which the quotient of the probability of obtaining a relation and the time spent on factoring was below a certain threshold, as described in [8]. After a period of about 6 months, at first using PCs and clusters at NTT and the University of Bonn, but later joined by clusters at EPFL, we had collected 16,570,808,010 relations. Of these re...

3 | Square roots of products of algebraic numbers, http://ftp.cwi.nl/pub/pmontgom/sqrt.ps.gz
- Montgomery
Citation Context ... involves the computation of a square root of a huge algebraic number that factors into small prime ideals whose norms are known. To calculate this square root we used Montgomery’s square root method [13] as described in [14] and implemented by Friedrich Bahr as part of his diploma thesis. The first three solutions all led to the trivial factorization, the fourth one produced the following 80-digit pr...

2 | R311 is factored by ECM
- Aoki, Shimoyama
- 1993
Citation Context ...me bound), and $10^{311} - 1$ was similarly ruled out after ECM found a 64-digit factor (11,214 curves with 850M as first phase bound and corresponding GMP-ECM 6.0 default second phase bound 12,530G, cf. [2]). The 307-digit number $(2^{1039} - 1)/5080711$ withstood all our ECM efforts: 1,472 curves with first and second phase bounds 850M and 12,530G, respectively, and 256,599 curves with bounds 1,100M and 2,...

1 | Continued fractions and lattice sieving; proceedings SHARCS 2005; http://www.ruhr-uni-bochum.de/itsc/tanja/SHARCS/talks/FrankeKleinjung.pdf
- Franke, Kleinjung
Citation Context ...and to about 2.5 relations per seconds per core. The relations required more than a terabyte of diskspace, with copies held at NTT, EPFL, and the University of Bonn. We used the sieving software from [7]. 4 Filtering Because of the special q’s the raw data as produced by the sieving step will contain a considerable number of duplicates. In our case 2,748,064,961 duplicates were identified, resulti...